Electronic combination lock with high security features

ABSTRACT

A self-powered electronic combination lock including a lock mechanism having locked and unlocked conditions. A rotatable dial is used to input a numerical combination code for changing the lock mechanism from the locked condition to the unlocked condition. An electronic display operates to display individual numbers of the combination code as the dial is rotated and a control is electrically connected with the dial and the electronic display. The control changes the numbers shown in the display as the dial is rotated in a single direction and the control is operable to sense a change in the direction of dial rotation. An electricity generating device is connected with the dial and the control and operates through dial rotation to generate electricity to power the control.

BACKGROUND OF THE INVENTION

Mechanical combination locks such as those found on safes, vaults,cabinets and other high security enclosures are well known and subjectto a number of attacks, such as by drilling, manipulation, and operationby dialer controlled by a computer.

Recently an electronic combination lock for such enclosures has beeninvented which provides the opportunity to greatly increase the level ofsecurity afforded by the lock, while at the same time overcomes many ofthe shortcomings of the prior art mechanical locks.

A dial type combination lock relies on the rotation of a dial topositions represented by numbers on the dial to rotate mechanicalelements within the lock, such that the wheels of the mechanism align toallow a bar to drop into the wheels and retract the lock bar or bolt,allowing the enclosure to be opened.

The electronic combination lock does not have the equivalent mechanicalelements and, therefore, can not be attacked in the same manner. Forexample, the mechanical lock may be drilled to permit the insertion ofan optical device into the lock mechanism to observe the positions ofthe wheels and thus their alignment which permits the opening of theenclosure without the knowledge of the combination.

The electronic lock cannot be drilled for a similar purpose since theelectronic lock mechanism will not reveal the position of any elementwhich would be helpful for the attacker to observe and which would givethe attacker any information as to the steps need to unlock the device.

The mechanical lock has a fixed position of internal elements relativeto the dial and thus may be observed with the movements of the dialrepeated by the attacker, at a later time.

The electronic lock does not have a fixed dial to number positionrelation and thus observation of the movement of the dial is much moredifficult if not impossible.

Dialers exist which may be attached to the knob of a dial on acombination lock and which dial combinations under the control of acomputer. As each combination fails, the computer then continues to dialother combinations to eventually unlock the lock.

With a combination lock of the mechanical type and sufficient time, adialer is particularly effective.

The electronic combination locks are dependent upon electronic pulsesbeing generated to indicate to the electronic controls, that the dial isbeing rotated and in which direction. The pulses may be generated byconventional pulse generation means when a voltage supply is provided topower the pulse generator.

Alternatively, pulses may be generated by the operation of the lock andthe the voltage pulses provide a power source for the operation of thelock.

This type of power source eliminates the need for a separate powersource for the system, such as a battery or other external voltagesupply.

With the control of the device by a series of voltage pulses, the use ofthe pulses may be used to further control functions of the lock.

SUMMARY OF THE INVENTION

The electronic combination lock disclosed and described herein is acombination lock having a dial which has no divisions or markingsrelating to the numbers of the combination thereon. The rotation of thedial drives a generator which produces electrical pulses. The voltagepulses serve as a power source for the electronics of the lock and tofurther indicate to the microprocessor the speed and direction ofrotation of the dial.

Through a random number generator, the micro processor generates apsuedo-random number which is then displayed on a display which ismounted in proximity to the dial.

The rotation of the dial of the lock is accomplished in a manner veryclosely related to the manner of the rotation of the dial of aconventional mechanical combination lock.

When the numbers of the combination have been entered through dialrotation, the microprocessor compares the combination with theauthorized combination; if the same, a signal is sent to the motor thatwill engage the latch with the bolt retractor and connect the boltthrough mechanical connections, to the dial so that when the dial isfurther rotated in the proper direction the bolt will be retracted andthe enclosure is then opened.

The microprocessor is controlled by a coded program. The ability tocontrol the microprocessor with a microcoded control program is a majoradvantage in that the several functions and features may be added tomake the lock mechanism and the enclosure more secure.

In order for a dialer to be effective, the relationship between the dialrotation and the numbers entered must be correllated so that a 3.6degree rotation of the dial increments or decrements the entry number byone unit for a 100 unit dial. The generation of a random number withinthe microprocessor at the beginning of each number entry operation andthe use of that random number as the starting point for the sequence ofnumbers displayed, eliminates the correllation of the number beingdisplayed and eventually entered, and the dial position.

When the dial is rotated, the generator creates pulses and these pulsesare received by and counted by the microprocessor. As the pulses areaccumulated, the pulses are also timed and the speed of rotation of thedial is determined. As the speed of the rotation of the dial varies, therate of change of the displayed numbers is changed. This is accomplishedso that at a high rate of rotation the displayed numbers may change at ahigh rate while at the lower rates of rotation, the rate of change ofthe displayed numbers may be by single units at a slower rate withrespect to the amount of dial rotation. Further the number of degreesthe dial must be turned to effect the change of the displayed numberwill vary so that there is no consistent amount of rotation required tochange the displayed number by one unit. This aspect of the lock alsoacts to foil the use of a computer controlled dialer.

The timing capabilities of the lock provides the opportunity todetermine the time used in the entering of the combination. If the totaltime of entry is either too short, indicating that the lock is underattack by a device rather than a human hand, or if the time to enter thecombination is too long, indicating that the operation of the lock isbeing attacked by other than a person having knowledge of an authorizedcombination, the lock is prevented from opening even if the authorizedcombination is subsequently entered.

As the connection between the dial and the generator is mechanical and,therefore, a predictable one, the number of pulses received by themicroprocessor indicates the rotational displacement of the dial. Therotational movement of the dial by the hand of a human being is suchthat the dial is generally turned less than 360 degrees and then thedial is stopped while the operator releases the dial and acquires a newgrasp of the dial. The stopping of the dial acts to allow a timer to runand if the stop period is less than a predetermined period that isrelated to human reaction time, the stop of the dial is not recognizedas a stop of the dial. When the dial is rotated more than 480 degrees or1.33 revolutions without a recognized stop, the lock is probably underattack by a device or at the very least by an unconventional dialingtechnique and the lock will not open even, if the authorized combinationis entered.

Dialers are capable of reversing directions of the dial in very shorttimes and depend upon speed to open a combination lock in a reasonablyshort time period without detection. This lock requires the dial bestopped or stationary for a short time periodically. One of those timesoccurs as the dial is reversed to enter the number just dialed and tostart access to the next number to be entered. The timing of the stoppedperiod of the dial insures both that a dialer is not being used and itextends the time that is necessary to open the lock by dialing allpossible combinations until the lock is unlocked by the propercombination. If the dial is reversed in less than the predetermined timeperiod required to detect a stop of the dial, the microprocessor willnot recognize the stop and the incrementing/decrementing of the numberson the display will continue in whichever sense they were changing. Thiswill foil the entry of a correct number and will set up a conditionwhere the lock will refuse to open due to more than a 1.33 revolution ofthe dial without a stop.

The microprocessor will also keep a count record of all the failedattempts to open the lock since the last successful operation. If thenumbers of trys or attempts to unlock the lock equals or exceeds thenumber set in the microprocessor microcode, the lock will fail to openeven if an authorized combination is subsequently entered, prior topower down. After an error indication is displayed, the lock is disabledto prevent further entry tries, until power down and power up.

The self contained generation of power for the lock electronics andcontrols creates a major advantage since there is no need to provide apower source such as a battery. The life of an operational power chargeis limited, without further rotation of the dial, and thus resets arenot externally required. When a condition is created where the lock willnot open even with the eventual entry of the authorized combination, thelock electronics must be reset. The reset is accomplished by letting thelock stand idle for a predetermined period of time without the dialrotation. Further rotation of the dial is ineffective to cause the lockto unlock. Waiting for the predetermined time out to reset the lock is amajor deterrent to the success of a dialer which is dependent upon speedand non detection.

The timing capability of the electronic lock provides an opportunity toprevent the use of a practice common with mechanical locks. To accessthe safe or vault on a short notice, it is common to dial in the firsttwo numbers of a combination and then to not enter the third number.When the operator is ready to access the vault or safe, the third andfinal number of the combination is entered and the enclosure is opened.

This common and dangerous security violation, which severely compromisesthe security of the enclosure, is overcome by the requiring of thecomplete entry of the combination within a preselected time period. Theentry of two of three combination elements and the delayed entry of thethird until after the relatively short time period has expired, causesthe scrambling of the entered combination numbers and the lock requiresthe complete combination to be entered again.

The use of multiple combinations to open a lock is possible with thiselectronic lock even from a single lock mechanism. The mechanical lockmechanisms are not capable of multiple combinations being entered into asingle lock. Accordingly multiple lock mechanisms are required formultiple combinations to be used to enter the enclosure. The presentelectronic lock accepts multiple combinations in what is referred to asa dual mode, requiring dual combinations. The combinations may beentered in any order, but if an error is made in either combination thelock will not signal that an error was made until after the secondcombination is entered, thereby not informing the attacker of the partof the procedure which was in error. The two combinations may beconsidered as a single 12 digit combination raising the security levelof the lock, even though the combination is possessed by a singleindividual.

The lock may also be conditioned to accept the two separate combinationsin a required order. The first combination required is referred to asthe senior and the later combination the subordinate. When properlyentered, the senior combination enables the lock to accept thesubordinate combination at any later time. The repeated entry of thesenior combination deactivates the lock such that it will not accept thesubordinate combination until reactivated.

The electronic lock contains two counters that may be used for securitymonitoring. The first counter is an error counter which is incrementedeach time that the lock is unsucessfully operated. This count isretained in nonvolatile memory and the contents of the error counterdisplayed on the display at the time of power on, if greater than two.The authorized operator of the lock is shown an indication of the factthat the lock has been attacked and that the lock was not opened, sincethe number in the error counter is not reset until a proper combinationis entered and the lock unlocked.

The second of the counters is referred to as the seal counter. The sealcounter is incremented by one with each successful opening of the lock.It is never reset. With four digits, the maximum count is 9,999 andwould require over 80 hours of dialing the correct combination toincrement the count completely around to the number originally on thedisplay prior to attack, if correct combinations were entered at therate of two per minute. Thus by monitoring the the error and sealcounters, the attack of the lock by an unauthorized individual isapparent and whether the lock was properly operated to access theenclosure is known to the authorized operator.

The combination of the lock may be changed if the combination is notknown or forgotten, by using the serial number of the lock as atemporary combination. This allows locks that have been stored ininventory to be properly recombinationed by using the serial number ofthe lock, but does not allow one with the serial number of the lock butnot the authorized combination to change the combination for laterseemingly authorized access to the enclosure.

The invention described and claimed herein takes advantage of theelectronic pulse control of the electronic lock and therefore it is anobject of the invention to increase the security level of the lock.

Another object of the invention is to render the lock more resistant tothe attack of the lock through attack by drilling or penatrating thelock mechanism housing for purposes of observation of the lock device.

An additional object of the invention is to render the lock safe fromsuccessful attack for a substantial period of time by use of a dialerdevice.

Another object of the invention is to disable the lock from becomingunlocked, when the conditions of the combination input are such thatthey fail to fall within preselected parameters to insure that the lockis not being attacked with a dialer.

It is a still additional object of the invention to render the lockinoperative when predetermined input parameters are not met and thefailure of the parameters to be met-suggests that the lock operation isby other than by a human being authorized to unlock the lick.

It is another object of the invention to prevent the lock from unlockingwhen the period of uninterrupted rotation of the dial of the electroniclock is in excess of a predetermined period.

It is another object of the invention of prevent the lock from unlockingwhen the amount of the dial rotation exceeds a predetermined amount, ina direction, without stopping the dial movement.

It is a still further object of the invention to prevent the lock fromunlocking when the dial direction changes occur with such speed that thedial is probably not operated by the hand of a human being.

An additional object of the invention is that the lock will not operateto unlock if the dialing time exceeds a predetermined amount of timewithout either successful entry of the combination or the lock beingpowered down.

It is a another object of the invention to defeat the use of a dialer byvarying the correlation between dial displacement and numericalincrementation, depending on the speed of rotation of the dial.

It is still an additional object of the invention to inhibit the use ofa dialer by initiating all sequences of numbers displayed by the lock ata random number which has no relation to the last combination numberelement entered.

Another object of the invention is provide the ability to reverse andrecover if a number is passed in the dialing, without having to restartthe combination entry.

Still another object of the invention is to provide in a singlecombination lock the capability of requiring entry of multipleauthorized combinations prior to the lock being unlocked.

An additional object of the invention is to provide to the operator ofthe lock a visual display of numbers that will indicate that the lockhas been attacked and the number of times the lock has been successfullyoperated.

A still further object of the invention is to provide the capability ofopening the lock and changing the combination of the lock, undercontrolled conditions, so that the combination of the lock may bechanged or set when there is no record or recollection of thecombination when the lock was stored.

The foregoing objects of the invention are accomplished by theelectronic controls of the lock, as will become more apparent from thedetailed description of the invention to follow.

The foregoing objects aspects and advantages of the invention willbecome apparent from the drawings and the detailed description of theinvention that will follow.

DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the electronic lock positioned on the door of a safe orvault and shows the location of the display and the dial of the lockwith no markings as are conventional on mechanical combination locks.

FIG. 2 is a schematic diagram of the lock and its associatedelectronics.

FIG. 3 is a flow diagram of the logic control of the microprocessor ofthe electronic lock, showing the overall operation and control of thelock.

FIG. 4 is a logic flow diagram representing the logic and operations todisplay numbers and symbols on the display.

FIG. 5 is a logic flow diagram showing the logic operations that preventthe lock from opening if the combination is entered correctly, but inless than a predetermined amount of time.

FIG. 6 is a logic flow diagram showing the logic operations that monitorthe amount of time that has elapsed for the start of the openingoperation with power up to the present, and the control of the lock toprevent the opening of the lock if the time required to enter an validcombination exceeds a predetermined amount of time.

FIG. 7 shows the logic flow diagram representing the logic operationsthat control the electronics to prevent the total dialing period withouta dial stop from exceeding a predetermined time and if so to preventopening the lock, and to further insure that when the dial is leftunturned for a preselected time, the lock will not open without theentry of the entire combination.

FIG. 8 is a logic flow diagram representing the logic control of theelectronic lock to detect whether the dial of the lock has been turnedmore than than 480 degrees without the dial stopping for a period ofmore than a predetermined amount.

FIG. 9 is a logic flow diagram representing the logic control operationsto detect the stopping of the dial and the timing of the stop, and ifthe stop time is sufficient to recognize dial rotation reversal, then toreverse the direction of the numbers displayed on the display.

FIG. 10 is a logic flow diagram showing the logic control operationsthat tabulate the number of times errors occur in attempting to open thelock, and the preventing of the opening of the lock if the number oferroneous attempts exceeds a predetermined number, with the resultinglock out of the opening commands and disabling of the display, if thecorrect combination is entered.

FIG. 11 is a logic flow diagram that shows the logic control operationsto permit the recovery from a condition where the number displayed ispast the target number by less than 3 and allows the operator to reversethe display sequence and return to a number that is four units prior tothe displayed number and to approach the target number again.

FIGS. 12 and 13 are logic flow diagrams that illustrates the logiccontrol operations of the microprocessor to convert the speed of thedial rotation into a rate of incrementation of the displayed number.

FIG. 14 is a logic flow diagram illustrating the feature where theserial number of a lock is used to operate the lock, under somecircumstances.

FIG. 15 is a logic flow diagram illustrating the logic and operationswhich control the use of and displaying of the contents of the error andseal counters.

FIGS. 16A, 16B, 16C, 17, 18, 19, 20 and 21 are flow diagrams expandingoperations illustrated in previous figures.

FIGS. 22 and 23 illustrate alternative embodiments of the featurecausing the lock to not open after a predetermined number of consecutiveerroneous attempts, in logic flow form.

A more complete understanding of the invention may be acquired from thefollowing detailed description of the invention that follows.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT OF THE INVENTION

Referring to FIG. 1, the lock 10 in which the invention is embodied isshown mounted on a safe or vault door 12. The dial 14 is surrounded by ahousing 16 which shrouds the periphery of the dial 14 and supports thedisplay 18. If preferred, display 18 may be mounted separately from thedial 14. The dial is a Liquid Crystal Display (LCD) module, but could beany other low power consumption display device. The dial 14 is attachedto a shaft 20 extending out the back of the dial mechanism, through thewall of the safe or vault door 12 and into housing 22 of the electronics24 of the lock 10.

Extending from the housing 22 is a bolt 26 that is used to hold the door12 shut when extended. Also contained in the housing 22 are themechanical linkages and mechanisms which retract or extend the bolt 26of the lock 10.

In FIG. 2, the dial 14 is connected to the rotor 28 and to the retractordrive 30. Rotor 28 is a segmented magnetic member having a plurality ofmagnetic segments 32. The number of magnet segments 32 on the rotor 28is not critical and may selected to provide as many field directionchanges as desired per revolution of the rotor. The magnetic fields ofthe magnetic segments 32 extend to and interact with the coils 34 whichare placed in proximity to the rotor 28, to generate a pulse ofelectricity. The generator 29 may be a stepper motor driven as agenerator. As the rotor 28 is rotated by the dial 14 and shaft 20, aseries of pulses are generated which are fed to the power control andpulse shaping device 36. The shaping of the pulses is accomplished bycircuitry that is conventional and forms no part of this invention. Thepulses are then fed to the microprocessor 44 over the two phase lines 38and 40. The pulses are out of phase-so they may be used to determine thedirection of the rotation of the rotor 28.

The power control and pulse shaping device 36 also charges an internalcapacitor with the pulses of electricity generated by the rotor 28 andcoils 34. The voltage of the capacitor is then supplied over the powerline 42 to the microprocessor 44. The microprocessor 44 is powered for alimited time with the voltage, and the charge is stored in a capacitorwithin the power control 36. Powered time of the microprocessor 44 isdependent upon the capacitance of the capacitor and the current drain ofthe microprocessor 44 and display 18. The size of the capacitor isselected in coordination with the power requirements of the remainder ofthe system to provide power to the system for approximately 90 secondsafter the dial 14 and the rotor 24 have ceased to rotate. This timeperiod provides adequate time to open the lock 10 or to pause in theentry of the combination without losing the previously entered elementsof the combination. On the other hand, the time period is long enough toprovide a significant delay in the reset of the lock electronics 24after the lock has become unopenable due to any of several conditionshaving occurred. This delay period is a significant factor to defeat theuse of a dialer.

Microprocessor 44 provides outputs to a display 18. The display 18 iscapable of displaying numerals of at least two digits and arrowspointing in opposite directions. Symbols such as a lightning bolt for aerror symbol or a key symbol are used to indicate selection of thecombination change mode.

The preferred display 18 is a Liquid Crystal Display or LCD device whichhas the advantage of being a relatively low consumer of electricalpower. Low power consumption is a significant consideration since powergenerated by the rotation of the lock dial 14 is relatively small andmust be stored within the components of the electronics of the powercontrol and pulse shaping components 36 of the system.

The microprocessor 44 also has an output to the latch motor 46 whichacts to connect the latch 48 of the lock 10 to the bolt retractor 50.The latch 48 is an arm which when engaged with the bolt retractor 50 maybe pulled or pushed by the bolt retractor 50, when it is moved. A smallrotary motor 46 for moving the latch 48 is preferred. The latch 48 isconstrained by the lock housing 22 in FIG. 1, for sliding movement andis extended or retracted as necessary to lock or unlock the enclosure56.

Bolt retractor 50 is engaged with the retractor drive 30 by the link 52.The link 52 converts the movement of the retractor drive 30 and engagingpoint 58 into a linear movement of the bolt retractor 50.

The microprocessor 44 may be any suitable microprocessor manufacturedand sold on the market. However the preferred embodiment of theinvention includes a microprocessor designated 80C51F and manufacturedand sold by Oki Electric Industries Company, Ltd, of Tokyo, Japan.

The operation of the microprocessor is represented by the flow diagramof FIG. 3. The following description will explain the microprocessor 44logic operations and flow as the lock 10 is operated.

Microprocessor Operation and Control

Referring to FIG. 3, the system begins functioning when the generator 29provides sustaining power to the electronic logic or microprocessor 44.This is represented by operation 800.

When the power is sufficient, the first function of the system is toclear the total try counter in operation 810. This permits the openingof the lock 10 with the authorized combination even if the lock 10 hadbeen disabled due to a sufficient number of erroneous combinationentries to prevent the lock from opening.

Thereafter, the Random Access Memory (RAM), within the microprocessor 44is initialized and all bit switches or flags are reset to their defaultconditions, in operation 812. This conditions the system to acceptinputs from the dial 14 of the lock 10.

The random number generator of the microprocessor 44, in operation 814,generates a random number between 00 and 99 and loads the number intothe combination counter. This provides the system with a starting pointfor the electronics to work from in the accepting of combination elemententry.

In operation 816, a determination is made as to whether this operationis the result of a power on entry into the system or a restart entryinto the system. If this operational sequence of the system is due topower on, the flow is to operation operation 818 where the direction ofthe dial 14 determined from the phase relation of the pulses. If thedial 14 is being rotated in the counterclockwise direction, the flowbranches to operation 822. However, if the rotation of the dial 14 isclockwise, then the seal counter number is displayed, in operation 820,until the dial 14 is turned counterclockwise.

The flow from operations 818 and 820 both converge on operation 822where it is ascertained if the error counter contains a count greaterthan 2. If not, the flow branches to operation 826. If the error countercontains a count of 3 or more, the flow is to operation 824 where thenumber is displayed on display 18. The operator is shown the number ofunsuccessful attempts made to open the lock since the last successfulentry attempt.

Thereafter the flow is to operation 826. In this operation there is adecision as to whether the watch dog flag is set. The watch dog flag,when set indicates whether the lock has been left with the dial unmovedor the dial has not stopped for more than 40 seconds. If the flag isset, then the flow branches back to just prior to operation 812 wherethe lock is reinitialized and the lock conditioned to be opened with anew combination entry attempt.

When the watch dog flag is not set, operation 828 will determine if thedial 14 has been reversed and if so the flow is block 830 whichrepresents the subroutine shown in FIG. 16. Following rentry to the mainsystem flow from FIG. 16, the direction change is processed in operation832 and a check is made in operation 834 as whether the display switchor bit is set ON. If the determination in operation 834 is true, thenthe subroutine in FIG. 4 is entered and completed and the combination isthen displayed in operation 838. When the display bit or switch is noton, then the flow branches back to the just prior to and reentersoperation 826.

Referring to FIG. 16, Block 830 represents entry into the subroutine,and the numbers in the combination counter are saved as an element ofthe combination in operation 850. Thereafter the decision is made inoperation 852 as whether all elements of the combination have beenentered. If not, the flow returns to the main system flow and reentersat operation 832.

If all the numbers for the combination have been entered, then there isa determination at operation 854 as to whether the operation of the lockis conditioned for single combination operation; and if true, thecombination is compared with the stored authorized combination inoperation 856. If on the other hand the lock is not conditioned forsingle combination operation, the flow branches at operation 854.

If at operation 856, the combination does not match then the errorsignal is set and the error counter is updated by incrementation by one,in operation 860, and then the flow is to the restart entry point 862 inFIG. 15.

Referring back to FIG. 16, if the combination matches in operation 856,the ports 62 of microprocessor 44 are checked to see of the change key60 has been inserted. If the change key 60 has been inserted into theports 62, then the flow is to block 864 which represents the subroutineshown in FIG. 17. Upon completion of the routine of FIG. 17, the flowreturns to operation 866 where the new combination is gotten andconfirmed and used thereafter as the authorized combination, inoperation 866. Then the flow is directed to the restart entry point inFIG. 15, operation 862.

If the change key 60 has not been inserted, then the flow at operation858 branches to the subroutine in FIG. 18 as represented by block 868and upon completion of the routine in FIG. 18, the lock is opened inoperation 870. Thereafter, the flow is to restart entry 862 in FIG. 15to await any further action.

Referring first to FIG. 17, the condition of the lock is checked to seeif a second combination is required to open the lock, in operation 900.If not the flow branches around operation 902, to operation 904. If asecond combination is required to open the lock, then the secondcombination is gotten in operation 902, from the dial input.

In operation 904, the type of operation is selected such as single, dualor senior/subordinate operation. In operation 906 if the determinationis that it is a single combination mode of operation, the flow is tooperation 908 which represents the subroutine shown in FIG. 19; when theroutine in FIG. 19 is complete, the flow will return to Block 910 wherethe single combination is acquired for the dialing procedure.

If the determination at operation 906 is that the lock is operating in amode other that a single mode, the flow is to block 912 which representsthe subroutine of FIG. 20; and when that subroutine is complete, theflow is back to operation 914 where the operation receives twocombinations and thence to the main routine in FIG. 16 at operation 866.

Referring to FIG. 16, block 868 represents the subroutine shown in FIG.18. In FIG. 18, the error counter is checked, in operation 952 todetermine if the count is greater than 9 and if the number is greaterthan 9 the flow is to operation 968 where the display is blanked and tooperation 970 where the microprocessor 44 is locked up or disabled. Theroutine then ends at operation 970. The electronics 24 must then powerdown prior to reinitiation of operation at power on entry at 800 in FIG.3.

When the error counter is 9 or less then the time of entry of thecombination is checked; if less than 15 seconds, the flow is tooperation 960. If the dialing time to enter the combination is greaterthan 15 seconds, then the flow is to operation 956 where the total timeof dialing is ascertained and compared to 5.12 seconds. If the time isgreater than 5.12 seconds, then the flow is operation 960, and if less,then to operation 958 where the amount of dial rotation without a stopis compared to 480 degrees. If more than the 480 degrees, the flow is tooperation 960. If less than the predetermined 480 degrees, then thewrite new combination flag is checked at 963 and if ON then the newcombination is written to memory in operation 965. Thereafter, thecombination is read and rewitten to combination memory in operation 966and the flow continues to 962.

Then the open lock subroutine of FIG. 21 is accessed in block 962, withthe flow returning to operation 964 which opens the lock. Thereafter theflow returns to operation 870.

Referring to FIG. 21, in operation 970, the lock is opened and the errorcounter is reset, as the contents of the error counter is representativeof unsuccessful attempts to open the lock 10 following the lastsuccessful operation. Further, the seal counter is updated byincrementing its contents by one to reflect the latest successful entry.Then the flow returns to operation 964.

Dual and Senior/Subordinate Combination Feature

Referring to FIG. 16, operation 854, if the lock 10 requires more thanone combination to unlock the lock 10, then the flow branches toOperation 874 where it is determined if the lock is a dual combinationtype operation. When the operation is a dual combination type operationthe combination match is checked in operation 876 and if the combinationdoes not match either authorized combination, the the error flag ischecked at 877 and if ON the error signal is activated, the lightningbolt is displayed in operation 860 and the error counter updated. Theerror flag is then reset at 861.

Should the error flag be OFF in operation 877, the the error flag is set879. The flow from operations 879 and 861 is to restart entry 862.

When the combination matches, the ports 62 of the microprocessor orlogic control device 44 are checked to see if the change key 60 isinserted. If not, the decision is made in operation 880 as to whetherone combination has already matched and, if so, the flow is to thesubroutine in FIG. 18. and then back to operation 870, previouslydescribed. If operation 880 determines that no previous combination hasbeen matched, then a flag is set in operation 882 to indicate that onecombination has been matched. Then the flow is from operation 870 or 882back to the restart entry point 862.

Referring to operation 874, if the lock is not conditioned to open inresponse to a dual combination entry, then the flow branches tooperation 858, previously described and if the key 60 is inserted thento block 864 and 866 and then to restart entry 862, all previouslydescribed.

If the change key 60 is not inserted into the ports 62, the combinationis compared in operation 890 to the senior combination and if matched,then the senior combination flag is toggled on/off in operation 892.This either enables the subordinate combination or disables theacceptance of the subordinate combination respectively.

When the combination does not match the senior combination in operation890, operation 894 checks to see if the senior flag is set ON and, ifso, the combination is checked against the subordinate combination inoperation 896. If either of the operations 894 or 896 test not true,then the flow from the respective operations is to operation 860 whichhas been previously described.

When the combination matches the subordinate combination in operation896, the flow is to block 868 which represents the subroutine in FIG.18, which has been previously described, together with operation 870.The flow from operations 860 or 870 is to restart entry 862 in FIG. 15.

Referring to FIG. 17, block 912 represents the subroutine illustrated inFIG. 20. Upon entry to the subroutine in FIG. 20 the new combination isacquired or read from the dialing operation as the first of twocombinations, in operation 1000. Then in operation 1002, the combinationis flashed back to the operator, permitting the operator to observe thecombination that has been entered and changed. After the the combinationhas been flashed back to the operator for several sequences, the logiccontrol will flow to operation 1004 where the new combination, thesecond of two, is read from the dialing operation; the new, secondcombination is flashed back to the operator for verification. After thethe flashing ceases, as in operation 1002, the message “PO”, standingfor Pull Out is displayed on the display 18 to tell the operator to pullthe change key 60 from ports 62. At this point, in FIGS. 19 and 20 atoperations 1058 and 1012 respectively, the change key symbol is turnedoff and a message “CC” is displayed to prompt the operator to confirmthe combination(s) by entering the new combinations(s). Thence, the bolt26 is retracted and the new combination(s) are stored in combinationmemory, completing the change of combination operation.

After the message “PO” is displayed, operation 1010 will continue tosample the ports 62 to determine whether the change key 60 has beenremoved. The looping and sampling will continue until the key 60 isconfirmed as removed, whereupon, in operation 1012, the write newcombination flag is set and the flow returns to the flow in FIG. 17 atoperation 914.

Referring again to FIG. 17, Block 908 represents the subroutineillustrated in FIG. 19. Thus block 908 is expanded into a subroutine andwhen the subroutine in FIG. 19 is complete, the flow returns tooperation 910 of FIG. 17.

In FIG. 19, the flow enters the subroutine at 908 from FIG. 17 and thenew combination is read or retrieved from the combination memory inoperation 1050.

To allow operator verification, once the combination has been retrieved,it is flashed back on the display 18 to the operator. After thecombination has been displayed to the operator, operation 1054 signals amessage “PO” to the operator prompting the operator to Pull Out thechange key 60 from the ports 62.

The electronic control of the lock then attempts to verify in operation1056 that the change key 60 has been removed for ports 62, signifyingthe completion of the combination change; if the key 60 has not beenremoved, the logic-operations continues to verify until such time as thekey 60 is removed. Only when the key 60 has been removed, will thecontrol logic flow progress to operation 1058 where the the newcombination flag is written into memory. Thereafter the flow returns tooperation 910 in FIG. 17.

Block 836 of FIG. 3 is further expanded in FIG. 4. Referring to FIG. 4,the flow enters at block 826 and then converts the tens data to segmentdata. The display 18 is of the type where the numbers displayed are madeup of segments that are turned on or turned off and the ones turned onin conduction with the others turned off form contrasting bars againstthe background of the display, making visible numbers. This operation1100 converts, thru a table look up, the number in the tens position ofthe display, to data bits, ones and zeros, necessary to turn on or offthe segments of the display in the tens position.

Next a check in operation 1102 is made to a certain if the display isdisplaying a combination number or a number which represents the mode ofthe lock 10. The mode of the lock is set, to condition the lock 10 to beopened with one combination, a minimum of two combinations or acombination which must be entered before any second combination isentered, known as the senior/subordinate mode. When the display 18 isresponding to the operation of the lock 10 to indicate what mode it isto operate in, the display 18 is displaying a single units digit and nozero in the tens position. During this phase of the lock 10 operation,operation 1102 will pass the flow to operation 1104 where the segmentdata for the tens position of the display 18 will not be set. When thelock 10 is in its normal operational mode of accepting combinationinput, the flow is through the NO path from operation 1102 aroundoperation 1104, to operation 1106 where the units data is converted tosegment data in the same manner as the conversion in operation 1100.Then the lightning bolt, key and left and right arrows are set ON or OFFas appropriate.

After the conditions are set, the display data is written to the display18 to cause the display to show the appropriate symbols, in operation1110. Thereafter the flow returns to operation 828.

With this understanding of the operation and control of themicroprocessor, the operation of the microprocessor will be describedwith respect to the several security features.

Random Number Start

As the dial 14 of the lock 10 is rotated and pulses from the generator29 are shaped and transmitted to the microprocessor 44, data isgenerated and passed as input to the microprocessor to input combinationnumbers to the system. On mechanical combination locks the dial has onits periphery marks and numbers that the operator must align with aguide mark to properly position the wheels in the lock. With thisinvention, not only are there no such marks or numbers, but theelectronics 24 must generate the signals representing the numbers whichactivate the LCD device to display numbers for observation by theoperator. If the first number displayed at the beginning of a movementof the dial 14 to increment or decrement the numbers displayed, were insome relation to earlier numbers entered into the lock or wereconsistently the same, a dialer could be programmed to account for thatdatum point. Only one unsuccessful attempt to open the lock 10 would benecessary for the attacker to ascertain the relationship. In the instantinvention, the microprocessor 44 has included within its capabilitiesthe ability to generate psuedo random numbers between 00 and 99. Therandom number generated is displayed and used as a base point or datumpoint from which to start that sequence to enter a number of thecombination.

Referring to FIG. 3A, at block 814 the random number generator of themicroprocessor 44 generates or picks a number between 00 and 99inclusive in operation 102. This number is entered into the combinationcounter of the microprocessor 44 and displayed on the display 18.

As the dial 14 of the lock 10 is rotated, the generator 29 provides apulse train with one pulse corresponding to the rotation of the dial 14by an amount of choice, typically one pulse for each three degrees ofrotation. The generator may be a permanent magnet stepper motor and theresolution of the motor steps will dictate the number of steps perrevolution and thus the resolution of pulses for any amount of rotation.

The pulses are then counted and the microprocessor 44 determines thenumber of pulses necessary for the microprocessor 44 to increment ordecrement the number on the display 18 by one and increments ordecrements the displayed number by one, as will be explained withrespect to FIG. 13. The flow in FIG. 13 and subordinate routines controldirect in and other facits of the operation.

From the foregoing, it can be seen that the random number generator ofthe microprocessor 44 will start each number entry sequence at a randomnumber which will in all probability not be the same as that of anyother sequence in the lock opening operation. This prevents the dialerfrom being able to increment the numbers entered in an up or downdirection, from a known starting point. This severely restricts the useof a dialer. This feature of the operation of the lock significantlyimproves the security of the lock by defeating one significant method ofsurrepticious attack on the lock 10.

Fast Entry Lock Out

Since the main purpose of a dialer is to attack a combination lock byvery rapid dialing of all the combinations necessary to open the lock,it is desirable to slow down the entry of lock combinations. By slowingthe acceptable entry of a combination, it insures that the lock willstatistically withstand such an assault for a longer time. If a dialerwere devised to overcome some or all of the other safeguards andfeatures of the lock, slowing the acceptable entry rate will reduce thenumber of entries that may be attempted in a given period of time. Sincetime is an enemy of the attacker, and exposes them to detection overlonger time periods, anything that will delay the attackers success isof great importance.

Accordingly, the electronic lock 10 is provided with a timer within themicroprocessor 44 which times the period from power-on until the entryof the last number of the combination. The logic flow diagram of FIG. 5illustrates the flow for this security enhancing feature of the lock 10.FIG. 5 is an expansion of Operation 954 of FIG. 18.

The internal clock timer of the microprocessor 44 is started at power-onwhen the microprocessor 44 is supplied sufficient power from the pulseshaping and power control 36 to operate the electronics 24 asrepresented in block 150. The lock electronics 24 will then accept theentry of the combination numbers normally, as illustrated in block 152.In decision block 154, the condition is tested as whether all numbers ofthe combination have been entered; and if found to be false, then theflow loops back to just prior to operation 152 which allows the nextcombination number to be entered. When the condition tested in operation154 is satisfied, the loop is exited and the flow is to operation 156where the time from the start of operation, is contained in the timerthat was started in operation 150, is tested to determine if the elapsedtime has been greater than a predetermined time period. For example, thetime period may be selected to be 15 seconds, since a human beingoperating the lock dial 14 will take longer than 15 seconds to enter thecombination, normally. Thus it may be safely assumed that any entry inless than 15 seconds is an attempt to attack the lock with a very rapidnon-human device such as a dialer.

If the time is less than 15 seconds, then the flow branches to operation162 where a signal is displayed indicating an error. The symbol of thepreferred embodiment is a lightning bolt. After the error is signalled,the lock logic flow returns to the main system flow and the lock willnot open until a correct combination is entered and the entry time isgreater than 15 seconds.

If the time period is determined to be greater than 15 seconds, inoperation 156, then the flow is to operation 158 where the combinationis tested or compared with the correct combination of the lock 10 by themicroprocessor 44; if not correct, the error signal is displayed inoperation 162.

If the combination is found to be correct in operation 158, the lock isopened or a change of combination is effected, in operation 160, whenthe change key 60 is inserted in the change key ports 62 of themicroprocessor 44. Use of the change key 60 will be discussed in moredetail below.

The testing and signaling of an error when the combination is toorapidly entered acts to defeat the operation of a dialer. Accordingly,the selection of a minimum time which must be exceeded in the entry of acombination enhances the security of the lock 10.

Maximum Entry Time Feature

If the lock is dialed by an attacker and the correct combination is notentered in a period of time that is preselected, such as for example,5.12 minutes, then it is assummed that the lock is under attack by somedevice or a persistent individual. The security features of the lock 10are primarily aimed at the defeat of a dialer, and may not be triggered,but the lock needs to be protected from attack by an individual. Thus,if the dialing time exceeds the maximum, then an error is signaled andthe lock will not open.

The logic operations for this feature are shown in FIG. 6 which is anexpansion of operation 956 of FIG. 18. With operation 200, an elapsedtime timer, of the same type as used in the flow diagram of FIG. 5, isstarted at power-on. The numbers of the combination are then allowed tobe entered in operation 202, and after each number is entered, thecombination is tested in operation 204 to determine if the last numberof the combination has been entered. If the last number has not beenentered, the flow loops back to just prior to operation 202 to permitthe entry of the next number of the combination.

After the last number of the combination is entered, in operation 202,and the determination of operation 204 is satisfied, the content of thetimer is tested to determine if the total time elapsed since power-onhas exceeded 5.12 minutes, as an example. If the time period has beengreater than 5.12 minutes, the lock electronics 24 signals through thedisplay 18 an error signal, as shown in operation 212 and the lock willnot open. The lock is at this point unable to open since there is asignal to prevent the unlocking of the lock 10 and the lock will notopen, even with a correct combination, since operation 210 is bypassed.The lock will continue to accept the input of numbers to the lock andwill open if the next combination entry is correct. With an entry timeexceeding 5.12 minutes there is sufficient delay that an additional timeof 90 seconds to power-down the lock is not a significant deterrent.

When the test of the time period elapsed is less than the predeterminedtime period of 5.12 minutes, for example, the logic flow is directed atoperation 206 to operation 208 where the combination is checked forcorrectness; and, if correct the lock is opened or the combination ischanged when the change key 60 is resident in the ports 62 of themicroprocessor circuitry in operation 210.

If on the other hand the combination entered is incorrect, the errorsignal is displayed in operation 212.

Since short times are an advantage to the security of the lock and longperiods of operating time are advantageous to the attacker, theadvantage to attacker is removed.

Maximum Unattended Period Safeguard Feature

A common and serious security violation is to enter the first twonumbers of a combination so that the third number may be entered at alater time with a minimum of delay in accessing the enclosure. Thispractice allows one who knows only the last number of a combination toaccess the enclosure.

The electronic lock disclosed herein has a capability to defeat apartially entered combination and thus return the lock to a scrambledlocked condition. FIG. 7 represents the logic flow of the maximumunattended period feature of the lock 10. The feature starts withpower-on, in operation 250. As power-on is accomplished, a timer is setto the period of time selected for this feature. A preferred period oftime is typically 40 seconds. The microprocessor 44 then checks to seeif the dial 14 of the lock 10 has stopped rotating for a period at leasta predetermined amount such as 220 milliseconds, by way of example. Thisperiod is slightly less than that necessary for the operator to releasethe knob and regrasp the knob of the dial 14 and start to rotate thedial 14. If the dial has stopped for more than the minimum stoprequired, the logic loops back to just prior to operation 252 toeffectively reset the timer to the predetermined period each time thedial 14 is allowed to remain motionless for the required stop periodfollowing a rotation. If the required dial stop period is not met, thenthe flow of operations is from operation 254 to operation 256 where theunattended timer is polled to see if the period of 40 seconds hasexpired. If it has expired, the the lock has not been operated withinthe allotted time and is not allowed to unlock because the electronics24 have been signalled to not open the lock. This operation is on aninterrupt basis and after the operation, the overall system operationcontinues.

If the timer has not expired, the flow branches from operation 256around operation 258 and back to the main system operation as theinterrupt is completed, at restart entry 862.

This features affect is that if the dial 14 of the lock 10 is not tunedwithin 40 seconds or if the dial is has not stopped for a period of 220milliseconds within the 40 second timer period, the numbers of thecombination already entered are ignored and are not effective to formpart of the combination to unlock the lock. This prevents the operatorfrom entering the first two numbers of the combination and waiting untilsignificantly later to enter the third number of the combination toquickly open the lock 10.

Dial Rotation Limit

The use of the human hand to rotate the dial 14 of the lock 10 resultsin the dial 14 being turned a partial turn and the dial 14 stopped andthe hand repositioned to attain a new grasp of the dial 14 prior to thenext turn. If the dial turns more than what a normal hand/wrist willpermit, the lock typically is being operated by a dialer or similardevice. To sense this and to prevent the lock 10 from opening, theamount of dial rotation without a stop is detected. This feature of theinvention is illustrated in FIG. 8, which is a more detailed expansionof operation 958 of FIG. 18.

After power-on in operation 300, the pulses from the generator 29 aremonitored and it is determined whether the dial 14 has stopped turning,in operation 302. If the determination of operation 302 is that the dialhas not stopped turning, then the logic control flow loops back to justprior to operation 302 and the pulse output of the generator 29 is againmonitored. This loop continues until the dial 14 is detected as havingstopped turning. When the dial 14 has stopped the logic flow branchesout of the loop to operation 304 where the number of pulses generatedsince the last dial stop is determined and compared with 160 pulseswhich is the number of pulses generated by the rotation of the dial 14by 1.33 turns or 480 degress.

If the dial has rotated more than the predetermined amount of 480degrees without a stop of the dial the flow is directed to operation 306where the lock electronics 18 are signaled to not open, even if thecorrect combination is entered.

As described above, the operation of the lock 10 by a person is notinhibited while the operation of the lock 10 by a dialer or othersimilar device is severely inhibited because the lock will not respondto the correct combination after the dial is rotated for more than 1.33turns without stopping. If the dial stops for less than the amount oftime necessary for the lock electronics 18 to recognize a dial stop,then the timer is not reset and the lock 10 will at the end of the timeperiod, be rendered unopenable, as in FIG. 7, until the lock powers downand is reset by a new power-on sequence. Thus if a dialer is used andthe lock is rendered unopenable, the subsequent inputs by the dialer arenot recognized, even if correct, and the enclosure is not openable.

Dial Stop Initiated Reversal of Number Sequences

The dial 14 must physically stop rotating whenever a number of acombination is reached and the number is entered into the microprocessor44 as an element of the combination. However the time that the dial 14is motionless is important since the reversal of the dial 14 of the lock10 is used to detect that a number is to be entered into the combinationelement storage locations of the microprocessor 44. If the stop periodis too short, microprocessor 44 will not recognize the stop and therotation of the dial will continue the incrementation of the numbers inthe same direction, increasing or decreasing, as was in effect prior tothe stop and reversal of the dial. This has the dual effect of furtherdestroying the relation between the dial 14 rotation and the numbersdisplayed and operated on by the microprocessor 44, and to prevent theentering of the number displayed at the time of the stop. The operationof the logic is illustrated in the flow diagram of FIG. 9.

With power-on, the pulse output of the generator 29 is monitored and adetermination made as whether the dial 14 has stopped, in operation 352.If the determination is in the negative the flow loops back to againpass through the decision operation in operation 352 until the result isin the affirmative. At that time the flow branches out of the loop andis directed to operation 354 where the time period is tested as towhether the stopped period exceeds 220 milliseconds, the minimum timeperiod that is necessary to recognise a valid stop condition. If thetest in operation 354 is met then the flow is to operation 356, where itis determined whether the dial direction reversed based on pulsepolarity. If there was a direction reversal then the direction flag isset reversed from the prior direction. This is accomplished by thesetting of a direction flag in the memory of the microprocessor 44.

This flag will also be used by the microprocessor 44 to control display18 to show an arrow in the appropriate direction.

If the result of operation 354 or operation 356 is in the negative, thenthe logic flow branches around the operation 358 and leaves thedirection uneffected, resulting in any further input pulses from dial 14rotation changing the numbers displayed in the same direction (increaseor decrease) as they were being changed prior to the detecting of a stopof the dial 14 for a time period insufficient to cause reversalrecognition. Accordingly, the use of a dialer to attack the lock 10 isagain interfered with and defeated.

Excessive Error Lock Out

If an attempt to unlock the lock 10 is made and the attempt isunsuccessful, the operator will attempt to unlock the lock 10 again andin all probability will be successful within a very few additionalattempts if the operator is in possession of the authorized combination.However, if the operator is not in possession of the authorizedcombination and is trying the lock in either a systematic or randommanner, the microprocessor 44 will keep a count of the incorrectattempts to unlock the lock 10 and if the number of incorrect attemptsexceeds a predetermined number of attempts, the lock may be eitherdisabled from further attempts by blanking the display 18 or displayingan error signal to indicate that the combination entered is erroneous,for each subsequent combination, notwithstanding the entry of thecorrect authorized combination. This safeguard is incorporated in thesoftware microcode contained in the memory of the microprocessor 44 andillustrated in the logic flow diagram in FIG. 10.

Referring to FIG. 10, when the lock is powered by the rotation of thedial 14 and generator 29, as represented by operation 400. The numbersof the combination are allowed to be entered into the microprocessor 44as represented by operation 402.

Thereafter, in operation 404, a check is made as to whether all numbersof the combination have been entered and if the result is negative, theflow branches back to just prior to operation 402, with the acceptanceof the remaining numbers of the combination.

The total try count is the number of unsuccessful attempts to open thelock since the last successful attempt to open the lock 10. When thenumbers of the combination have been entered, the answer to operation404 is affirmative and the logic flow branches to operation 406 wherethe total try count is checked to find its value. In operation 406, thetotal try count is compared to a predetermined number such as 10 and ifgreater than or equal to 10, the microprocessor is conditioned to signalan error symbol on the display 18 in operation 415. The LCD display 18is then interdicted and is blanked to prevent displaying numbers orsymbols, thus effectively preventing the entry of any numbers into thelock 10 in an effort to enter the combination.

The lock remains inoperative until it is left unoperated for a period tobleed down the power stored internally. Once the power of the capacitoris bled down, the power to the microprocessor 44 is insufficient tomaintain the flags that are set to indicate that the lock 10 is disabledand the lock 10 becomes functional again. The preferred time periodnecessary for power-down is selected to be sufficiently long to be asource of irritant to an attacker, but not so long as to be a majorinconvienence to an authorized operator. A preferred time period forpower-down is 90 seconds.

If the total try count is less than 10, for example, then the logic flowis directed by operation 406 to operation 408 where the combination justentered is tested to determine the correctness of the combination.

When the combination is not correct, then the logic flow is branched tooperation 410 and the total try count is incremented by one, reflectingthe latest unsuccessful attempt to unlock the lock 10. Thereafter themicroprocessor 44 is signaled to cause the displaying of an error symbolon the display 18 in operation 414 and then the flow returns to the mainlogic flow of the system.

Another embodiment would be that the signaling of an error in operation414, as a result of a Yes result in operation 406, may set a flag in thememory of the microprocessor 44 which can be used by the microprocessor44 to prevent the opening of the lock 10 even if a correct combinationis entered. In this case, operation 415 would not exist. In this mode ofoperation the display 18 continues to display numbers and symbols as itcontinues to function, thereby suggesting to the operator that the lockis still working and capable of opening upon the entry of the authorizedcombination, notwithstanding the fact that the lock is conditioned torefuse to open after the tenth consequtive erroneous attempt to open thelock.

When the combination compares correctly with the authorized combinationof the lock 10 in operation 408, the lock 10 is conditioned to open orto change the combination if the change key 60 is inserted into theports 62 of the microprocessor 44. Thereafter the logic flow stops.

Varible Incrementation of the Display

To further-foil and defeat the abilities of a dialer, the lock 10 isprovided with a scheme of varying the number of pulses of the generator29 that are required to update the display 18 to cause it to display thenext smaller or larger number. The benefit of this scheme is as thespeed of rotation of the dial 14 of the lock 10 increases, the rate ofchange of the displayed numerals increases until the rate of change isset by the fastest rotational rate and then the relationship of the rateof change of the displayed numbers to the number of pulses from thegenerator remains constant for the remainder of that rotational movementof the dial 14, until the dial stops, even if the rotational speed ofthe dial slows during later stages of rotation. The effect is to reducethe correlation of the number change rate on the display 18 and theextent of rotation of the dial 14.

FIG. 12 is a flow diagram which represents the decisions made by themicroprocessor 44 to determine the speed at which the dial 14 is beingturned, which is then used to set rates at which the the numbers arechanged. Returning to FIG. 2, the generator 29 outputs pulses on lines38 and 40 which are out of phase. The out-of-phase relation is used todetermine the direction of rotation of the dial 14 and the magneticportion 28 of the generator 29. The phase 1 line 38 conveys pulses whichare used to indicate rotational displacement of the dial 14. Thegenerator 29 is configured such that a full rotation of the dial willcause the generator 29 to create 120 pulses.

The pulses on the phase 1 line 38 are connected to an interrupt bit inthe microprocessor 44. Accordingly, each pulse interrupts themicroprocessor 44. The interrupts are used to start and stop timers andcounters.

Dial reversal is detected when seven phase 1 pulses are detected and thepolarity of at least 6 of the phase 2 pulses are of the same polarity.Thus when the dial is reversed, the polarity of the first phase 2 pulseto be received has been preceeded by six phase 2 pulses of the priorpolarity. As each succeeding phase 2 pulse is received the count ofphase 2 pulses of the new polarity increases until when the sixth phase2 pulse of the new polarity is detected, the voting scheme is satisfiedand the new direction of rotation is determined. The microprocessor 44times the interval between the phase 1 pulses and thereby detects therotational speed of the dial 14. The speed is not sampled until afterseven phase 1 pulses have been received, to avoid speed detection whenthe dial 14 is not being turned enough to provide a reliable input.After seven pulses have been received the six interpulse times areculled by discarding the shortest and the longest and the mean of theremaining times determined and used. This approach to filtering ofvalues acts to filter out noise.

As each speed criteria is met in ascending order of speed, that speedindicator is set and retained for the remainder of the dial turn; whilethe speed indicator is not reduced if the dial slows down during thatdial turn, the speed indicator may be increased as speed increases.

A further filter to eliminate spurious conditions which could lead tounreliable results is that the middle and high speed indicators in themicroprocessor 44 are locked out or rendered ineffective unless at least10 phase 1 pulses have been detected by the microprocessor 44 since thelast valid dial stop. This filtering of the inputs insures that themiddle and high speed operation of the display 18 is prevented duringquick short burst turns of the dial 10.

The Microprocessor 44 has within it a counter that is designated as thecombination counter, which counts the numbers and the numbers aredisplayed on display 18, as well as being available for the internalprocessing of the number for use iii the combination. The combinationcounter is incremented/decremented, based on the number of pulsesreceived by the microprocessor 44. The number of pulses necessary varybased on the dial speed as decided by the voting scheme described above.

The preferred and exemplary conditions for changing the combinationcounter are presented tabularly below. SPEED CHART TIME INTERVAL PULSESPER BETWEEN PULSES COMBINATION SPEED FLAG MINIMUM COUNT Lock out 2.57msec 2 High 5.14 msec 2 Middle 8.56 msec 5 Low 64.2 msec 3-13 Creep  220msec 3-13

As can be seen from the table, the counter and the display isincremented by one unit for each five pulses if the interpulse timeinterval is less that 8.56 msec but more than 5.14 msec and the middlespeed flag is set.

The lock out flag is set only during the actual opening cycle of thelock 10 (turning the dial 14 to retract the bolt 26 from strike 56), toinhibit the bolt 26 from being retracted if the dial 14 is turned toofast. If the bolt 26 is engaged with the bolt retracter 50 when the dialis being turned too fast, physical damage to the lock mechanism mayresult.

The incrementing of the combination counter is accomplished for thefirst three pulses of a turn in the low or creep speed and thenthereafter with each 13 pulses. This is to provide the operator a visualfeedback early in the operation at these speeds and then to slow theincrementing to the desired rate thereafter, for the same dial turn.

In the high speed-mode or operation, all numbers are sent to the display18. Due to the response time of the display and the ability of the humaneye to receive and process images only at relatively slow speeds, it mayappear that numbers are being skipped by the display 18.

For a better understanding of the logic operations necessary to controlthe speed of the change of the combination counter and display 18,reference is made to FIG. 12. As the interpulse time period isdetermined by the detection and voting scheme described above, the timevalue is compared in operation 450 to the time interval standard for thelock out mode, i.e., 2.57 msec, and if the interpulse time is less thanthe standard, the lock out speed flag is set in operation 452. If thetime period is greater than the lock out speed mode time standard, theflow is from operation 450 to operation 454 where the interpulse timeperiod is compared with the high speed time standard of 5.14 msec and ifthe time interval is less than the high speed time standard the flowbranches to operation 456 where the high speed flag is set. Similarly,the interpulse time period is compared to the middle speed time standardand the slow speed time standard and the appropriate speed flags set.

The setting of a speed flag results when the flow is diverted from theseries of decision operations 450, 454, 458 and 462. The flow is thenthru flag setting operations 452, 456, 460 and 464 as appropriate withthe resulting setting of all flags for speeds slower that the firstsatisfied speed condition.

Referring to operation 462, if the interpulse time interval is greaterthan 64.2 msec, then the only remaining choice of speeds is that ofcreep speed and the creep speed flag is set in operation 466. The flowfrom operation 464 or 466 is back to the main flow of the system.

As the dial 14 is turned the microprocessor 44 not only receives thepulses but after determining the speed at which the dial 14 is turning,then must update or increment the combination counter. This isaccomplished by the logic control operations represented by the flowdiagram of FIG. 13.

As the pulse flow into the microprocessor 44 continues, the the flags ofthe microprocessor 44 are checked to ascertain if the direction has beendetermined by the voting scheme as described above. This decision as towhether the direction has been decided is represented by operation 500.If the decision on the direction of the dial 14 rotation has not beenmade, it is premature to assess speed. This is not done until directionhas been determined, and the flow branches around all other operationsof the subroutine and returns to the main flow of the system.

If, on the other hand, the direction has been determined, the flow fromoperation 500 is to operation 502 where the high speed flag is checked.If the high speed flag is set, the microprocessor 44 is commanded toupdate the combination counter by one unit for each two pulses receivedfrom the generator 29, as represented by operation 504.

If the high speed flag has not been set then the middle speed flag istested to see if it has been set in operation 506. When the middle speedflag has been set, as determined in operation 506, the combinationcounter is updated by one unit for each five pulses as represented byoperation 508.

Similarly, if the flag for the middle speed is not set, a decision inoperation 510, is made as to whether this is the initial dial rotationat a low speed in this dial turn. If this decision operation results ina negative determination, then the dial 14 has been rotated at a lowspeed previously in this dial turn and the combination counter isincremented by one unit for each 13 pulses generated by the generator29, as represented by operation 512.

When the result of operation 510 is in the affirmative, the flow is tooperation 514 where the combination counter is updated by one unit foreach 3 pulses received by the microprocessor 44.

Following the updating of the combination counter, in response to any ofthe speed flags set or not set, the control reverts back to the mainlogic control of the lock 10.

Backup Feature

The backup feature is important in that it gives the operator a way torecover from an erroneously dialed number if the number has not beenentered and if the dialed number is less than 3 from target number. Thefeature does not compromise the security of the lock since the operationof the lock is to back up the number by four units upon any dialreversal. Thus, the backing up of the displayed numbers on the display18 does not indicate to the attacker that he has approached acombination number, since any reversal of the dial at any-number willresult in the four unit backup of the displayed number. Progressing pastthe backed up value and continuing the reversal movement enters thevalue of the number in the combination counter and on the display 18when the reversal occurred, as a combination number for latercomparison. The backup feature is operational on all dial reversals.

When dialing the combination, the operator may turn the dial 14 too farand pass the target number of the combination. While the dial may beturned additional revolutions and the target number selected anddisplayed, the preferred embodiment of the lock is to permit theoperator to reverse the dial direction for a short displacement with thenumbers displayed and contained in the combination counter changed to anumber four units displaced for the number displayed prior to backingup. After the numbers have backed up by four units, the dial 14 may thenbe turned in the direction that it was originally being turned, to againapproach the target number of the combination. The logic control of thisfunction is illustrated in FIG. 11.

When a number has been dialed and the dial 14 is stopped, the period ofthe stop is checked to determine if the stop time is at least 220 msecin operation 550; and if not, the stop is not recognized and the flowbranches around other operations in the subroutine to operation 560,where the combination counter and the display 18 are changed by oneunit.

On the other hand, if the stop time does exceed 220 msec then the stopis recognized as a valid dial stop, and the flow is directed tooperation 552 where a decision is made as to whether the dial reverseddirection. If there is no reversal of direction, there is no need toconsider the backing of the displayed numbers and the contents of thecombination counter. Accordingly, the branch is to operation 560, asdescribed above, and there is no effort to reverse the count and thefurther rotation is an attempt to reach a number as yet not accessed.

If the direction of the dial 14 rotation is reversed, then a flag calledthe backup switch is checked to ascertain if it is turned on. If thisbackup switch is on in operation 554, it indicates that the backupprocess is underway and the latest reversal of the dial 14 ispreparatory to the resumption of the operation of the dial 14 to dialthe target number of the combination. In this instance, there is no needto backup the numbers and, accordingly, the backup switch is reset inoperation 556, prior to changing the number on the display 18 and in thecombination counter by one, at operation 560.

When the status of the backup switch is tested in operation 554, if thestatus is off, then the flow is to operation 558. In operation 558, thenumber is changed by 3 and the backup switch is set. The finding inoperation 554 that the backup switch was not on indicates that the dial14 was turned but had not previously been reverse rotated; therefore,the reversal of the dial 14 should invoke the backing up of the numbers.

Thereafter, the flow from operations 556 or 558 is to operation 560where the number is changed by one unit. The net effect is that thenumbers displayed are changed by 4.

Error and Seal Counters

Referring to FIG. 15, the operation of the seal and error counters andthe display of their contents will be described.

When the lock 10 is powered on, in operation 600, the clockwise rotationof the dial 14 is checked for, at operation 602. If the rotation of thedial 14 is counter-clockwise, then the flow is branched around otheroperations to operation 608. However, if the rotation is clockwise, theflow is to operation 604 where the seal counter contents are displayedon the dial 18. The seal counter counts the number of times that thelock has been opened sucessfully.

After the contents of the seal counter have been displayed on thedisplay 18, if there is a clockwise turn of the dial 14, the logiccontrol flow branches and loops back to just prior to the displayoperation 604. When the rotation of the dial 14 is counter-clockwise, asdetected in operation 606, the error counter is checked to ascertain ifthe value stored therein is three or more, in operation 608. If thevalue in the error counter is three or larger, then the error countercontents are displayed in operation 610. The displayed number is thecount of times that the lock 10 has been dialed for access withoutsuccessfully opening it or when one of the security features has blockedthe lock 10 from opening. The count is from the last successful openingof the lock 10.

Two turns in the counter-clockwise direction will result in thecontinued display of the error counter contents, as illustrated inoperation 612. Two turns in the clockwise direction will branch tooperation 614 where the combination for the lock is allowed to beentered. After entry of the combination, operation 616 does a compare ofthe entered combination and the authorized combination and if theycompare true, the lock is conditioned to unlock in operation 618.

Since the error counter only accumulates the count of erroneous entryattempts since the last successful opening of the lock 10, with thecompare true on the combination, the error counter is reset as inoperation 620. Similarly, the seal counter counts successful combinationentries, and the seal counter is updated by incrementing its contents byone unit, as in operation 622.

Should the combination not compare true in operation 616, the errorcounter is incremented one unit in operation 624 to reflect theerroneous entry attempt. After the incrementing of the seal or errorcounters, the routine ends and the lock awaits any further input by theoperator. As discussed earlier, if left unattended for a sufficientamount of time, the lock will power down.

The combination of the error and seal counters provide a reliable,easily accessed, easily understood indication that the lock has beenoperated; and if the numbers are different, indicate either failure orsuccess by the attacker.

Lost Combination Resetting

The serial number of the lock may be used as a temporary combination toopen the lock and thus allow the setting of a new combination. Thisallows for circumstances where locks are placed in inventory and recordsof combinations are misplaced or memories lapse and no one remembers thecombination of an inventory lock.

Referring to FIG. 14, to open the lock so that the normal changecombination procedure may then be used, the change key 60 is inserted inthe lock 10. The lock 10, when powered on, operation 650, will detectthe presence of the change key 60 in ports 62 of the microprocessor 44,in operation 652.

If the change key 60 is detected, the open flag in the memory of themicroprocessor 44 is checked in operation 654. If the open flag is on,the serial number is not allowed by operation 656 as a combination,because the lock is open and was presumably opened with a correct andknown combination. However if the open flag or bit is not on, indicatingthat the lock 10 is locked, then the lock 10 is conditioned to acceptthe serial number of the lock 10 as a substitute combination, inoperation 658. This may be accomplished by the setting of a flag whichthen allows the comparing of the serial number which is stored in amemory associated with microprocessor 44, with the entered combination,rather than comparing the authorized combination.

When the change key 60 is not in the lock 10, as ascertained inoperation 652, the open bit is reset in operation 660, and thecombination entered is compared with the authorized combination inoperation 662; if good, the lock is unlocked and the open bit is set inoperation 664. If the combination is not good the logic flow branchesback to the beginning of the routine to await further input.

This scheme does not compromise the security of the lock since the lockmust be accessible for the insertion of the change key while the lock islocked, i.e., when the combination is scrambled and the open bit isreset. This prevents the covert insertion of the change key 60 when asafe or vault is open and the return at a later time to open the safe orvault 12 with the combination that might be changed using the serialnumber of the lock.

The insertion of the change key 60 into the ports 62 creates a conditionthat prevents the resetting of the open bit. As seen from operations 654and 658, the open bit must be reset for the serial number to be allowedin lieu of the authorized combination in the combination changeprocedure.

Lock Disablement and Recovery

Referring to FIG. 22, there is shown a feature in logic form, where ifthe error counter is incremented to a number larger than thatconcieveably needed for an individual with an authorized combination tooperate the lock, such as 50 times the lock can be disabled. Toaccomplish this a check of the error counter is done in operation 1200,where the error count is compared to the number, for example 50. If thenumber is not greater than 50 the flow would return. However, if thenumber is greater than 50 the lock out flag is set in permanent memoryat operation 1202 and then return. This flow could, if desired, beinserted in the flow of FIG. 18, between operations 868 and 952 at A.

Once the lock out flag is provided and the flow in FIG. 22 isincorporated into the flow of FIG. 18, the flow of FIG. 23 may beinserted into the routine shown in FIG. 18, between operations 958 and962, at B.

If this embodiment is incorporated into the flow of FIG. 18, then whenthe decision in operation 958 is negative, the lockout flag is checkedin operation 1250 and if not ON, the flow returns to B and continues.However, if the lock out flag is ON the microprocessor checks to see ifthe combination entered is the third consecutive correct combinationentry in operation 1252. If so, the lock out flag is reset at operation1254 and the flow is to return at B. If the combination is not the thirdconsecutive correct combination entry, an error is signaled in operation1256, the same as described in operation 960 of FIG. 18, and the flow isto restart entry 862, FIG. 3.

If desired, operations 1252 and 1254 may be omitted from the flow ofFIG. 23. When this occurrs, the lock cannot be reset and the lock mustbe drilled and replaced, since the flow of FIG. 23, without operations1252 and 1254 results in the lock being permanently disabled with no wayof recovery.

The foregoing routines that implement the functions and features operatewithin the system operations of the lock as is represented in FIG. 3 andthe Figures referred to from FIG. 3.

The preferred embodiment of this invention is to implement all thecontrol operations and hence the functions and operational features ofthe lock 10 in microcode in a microprocesser 44 of the type sold by OKIElectric Industries Company, Ltd., under the designation 80C51F. Othermicroprocessors by other manufacturers may be substituted for thepreferred device so long as the characteristics of the substituteddevice meet the needs of the lock 10.

The control of the microprocessor 44 is by microcode which is writtenaccording to the constraints defined by the device manufacturer andwhich are readily available from the device manufacturer of choice. Anyskilled code writer may code the microcode, given a program listing. Theprogram listing may be prepared for the the device of choice, followingthe constraints required by the particular microprocessor device chosen.The logic and operational flow diagrams contained in FIGS. 3-23 areapplicable to any microprocessor and accordingly, teach one of skill inprogramming the necessary operations to operate the lock. Theorganization of the logic flows is exemplary and may be modifiedaccording to the desires of the programmer and code writer.

The foregoing is the preferred embodiment of the invention. It isrecognized that changes and modifications may be made to the embodimentof the invention without departing from the scope and the spirit of theinvention and such changes and modifications reside within the scope ofthe claims below:

1-36. (canceled)
 37. An electronic combination lock, comprising: ahousing; a data input device operative to allow the input of first andsecond separate combination codes; a lock bolt movable from a lockedposition to an unlocked position relative to said housing; a controloperative to selectively allow movement of said lock bolt from thelocked position to the unlocked position after input of the first andsecond separate combination codes using said data input device; and anindicator operatively coupled with said control and operative toindicate to a user an incorrect input of the first combination code onlyafter the correct or incorrect input of the second combination code. 38.The electronic combination lock of claim 37, wherein the first andsecond combination codes must be input with the data input device in apredetermined order.
 39. The electronic combination lock of claim 37,wherein the first and second combination codes each comprise a series ofnumbers.
 40. The electronic combination lock of claim 37, wherein thedata input device further comprises a dial.
 41. A method of operating anelectronic lock including a data input device and a lock bolt movablebetween locked and unlocked positions, comprising: inputting a firstcombination code with the data input device; inputting a secondcombination code with the data input device; and indicating only afterthe input of the second combination code that either or both of thefirst and second combination codes are incorrect and are therefore notsufficient to enable movement of the lock bolt between the locked andunlocked positions.
 42. The method of claim 41, wherein the first andsecond combination codes each comprise a series of numbers.
 43. Themethod of claim 41, wherein the first and second combination codes mustbe input in a predetermined order.